mirror of
https://gitlab.freedesktop.org/wlroots/wlroots.git
synced 2024-11-26 00:52:21 +00:00
xcursor: Fix heap overflows when parsing malicious files
It is possible to trigger heap overflows due to an integer overflow
while parsing images.
The integer overflow occurs because the chosen limit 0x10000 for
dimensions is too large for 32 bit systems, because each pixel takes
4 bytes. Properly chosen values allow an overflow which in turn will
lead to less allocated memory than needed for subsequent reads.
See also:
https://cgit.freedesktop.org/xorg/lib/libXcursor/commit/?id=4794b5dd34688158fb51a2943032569d3780c4b8
5d201df72f
parent
2bf482e90f
commit
de0a032d8e
@ -203,6 +203,11 @@ XcursorImageCreate (int width, int height)
|
|||||||
{
|
{
|
||||||
XcursorImage *image;
|
XcursorImage *image;
|
||||||
|
|
||||||
|
if (width < 0 || height < 0)
|
||||||
|
return NULL;
|
||||||
|
if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
|
||||||
|
return NULL;
|
||||||
|
|
||||||
image = malloc (sizeof (XcursorImage) +
|
image = malloc (sizeof (XcursorImage) +
|
||||||
width * height * sizeof (XcursorPixel));
|
width * height * sizeof (XcursorPixel));
|
||||||
if (!image)
|
if (!image)
|
||||||
@ -483,7 +488,8 @@ _XcursorReadImage (XcursorFile *file,
|
|||||||
if (!_XcursorReadUInt (file, &head.delay))
|
if (!_XcursorReadUInt (file, &head.delay))
|
||||||
return NULL;
|
return NULL;
|
||||||
/* sanity check data */
|
/* sanity check data */
|
||||||
if (head.width >= 0x10000 || head.height > 0x10000)
|
if (head.width > XCURSOR_IMAGE_MAX_SIZE ||
|
||||||
|
head.height > XCURSOR_IMAGE_MAX_SIZE)
|
||||||
return NULL;
|
return NULL;
|
||||||
if (head.width == 0 || head.height == 0)
|
if (head.width == 0 || head.height == 0)
|
||||||
return NULL;
|
return NULL;
|
||||||
@ -877,9 +883,11 @@ load_all_cursors_from_dir(const char *path, int size,
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
for(ent = readdir(dir); ent; ent = readdir(dir)) {
|
for(ent = readdir(dir); ent; ent = readdir(dir)) {
|
||||||
|
#ifdef _DIRENT_HAVE_D_TYPE
|
||||||
if (ent->d_type != DT_UNKNOWN &&
|
if (ent->d_type != DT_UNKNOWN &&
|
||||||
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
|
(ent->d_type != DT_REG && ent->d_type != DT_LNK))
|
||||||
continue;
|
continue;
|
||||||
|
#endif
|
||||||
|
|
||||||
full = _XcursorBuildFullname(path, "", ent->d_name);
|
full = _XcursorBuildFullname(path, "", ent->d_name);
|
||||||
if (!full)
|
if (!full)
|
||||||
|
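Review bot: In XcursorImageCreate the allocation size is still written as `width * height * sizeof (XcursorPixel)`, so `width * height` is evaluated in `int` before it is widened, and the new range check is the only thing keeping that product in bounds. XCURSOR_IMAGE_MAX_SIZE is defined outside the visible hunks, so it cannot be confirmed from here that the full size also fits a 32-bit `size_t`; the commit message says the earlier 0x10000 limit did not. I would make the arithmetic explicit with `(size_t) width * (size_t) height * sizeof (XcursorPixel)` and add a comment at the limit's definition stating that `sizeof (XcursorImage)` plus the square of the limit times `sizeof (XcursorPixel)` must stay below SIZE_MAX on every supported target. The body of XcursorImageCreate continues past the end of the hunk.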